Skip to content

[Bug]: npm command pinning warnings from OpenSSF Scorecard #180

Closed
#181
Closed
[Bug]: npm command pinning warnings from OpenSSF Scorecard#180
#181
Labels
bugSomething isn't workingneeds-triageRequires triage and prioritization
@WilliamBerryiii

Description

@WilliamBerryiii
WilliamBerryiii
opened on Jan 16, 2026

Component

Scripts

Bug Description

OpenSSF Scorecard analysis identifies npm command pinning warnings in our repository. Unpinned package installations create security and reproducibility risks:

  • Non-deterministic builds: npm install can resolve different dependency versions across runs
  • Supply chain vulnerability: Unpinned global packages (@vscode/vsce) may install compromised versions
  • Scorecard penalty: These warnings reduce our security score

Affected Files:

File Line Current Command Issue
.devcontainer/scripts/post-create.sh 10 npm install Should use npm ci
.github/workflows/extension-package.yml 56 npm install -g @vscode/vsce Missing version pin
.github/workflows/extension-publish.yml 128 npm install -g @vscode/vsce Missing version pin

Expected Behavior

  1. Replace npm install with npm ci in devcontainer script (uses lockfile for deterministic installs)
  2. Pin @vscode/vsce to version 3.7.1 in GitHub Actions workflows
  3. OpenSSF Scorecard npm pinning warnings resolved
  4. Deterministic, reproducible builds
  5. Improved supply chain security posture

Steps to Reproduce

  1. Run OpenSSF Scorecard analysis on repository
  2. Review npm pinning warnings in output
  3. Check referenced files for unpinned commands

Additional Context

Research documented in .copilot-tracking/research/20260115-npm-pinning-research.md

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't workingneeds-triageRequires triage and prioritization

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions